Adding a node to a k8s cluster: process and problem summary

Table of contents

    • Environment preparation
      • The Kubernetes environment was initialized with kubeadm and built in self-hosted mode (Docker images)
      • 1. Disable the firewall and SELinux
      • 2. Synchronize server time
      • 3. Disable the swap partition
      • 4. All cluster nodes can resolve each other
      • 5. SSH trust from the master to the node
      • 6. Configure kernel parameters so bridged traffic also passes through iptables/netfilter
      • 7. Change the hostname
    • Install docker, kubeadm, kubelet and kubernetes-cni on the node
      • 1: Configure yum (all nodes)
      • 2: Install kubeadm, docker and kubelet
      • 3: Download the images (mind the version):
      • 4: Join the cluster
    • Problems encountered

Environment preparation

The Kubernetes environment was initialized with kubeadm and built in self-hosted mode (Docker images).

1. Disable the firewall and SELinux

(In production, disable or keep these enabled as needed)

systemctl disable firewalld.service
systemctl stop firewalld.service
setenforce 0
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Check:

systemctl is-enabled firewalld.service
systemctl status firewalld.service
getenforce

2. Synchronize server time

Use a public NTP server or run your own ntpd server.

3. Disable the swap partition

# lowers swap use; note that kubeadm's preflight check still fails while a swap device is active (hence --ignore-preflight-errors=Swap in problem 1 below)
echo "vm.swappiness=1">>/etc/sysctl.conf
sysctl -p

Check:
sysctl -a | grep "vm.swappiness"

4. All cluster nodes can resolve each other

5. SSH trust from the master to the node

ssh-keygen -t rsa
ssh-copy-id -i /root/.ssh/id_rsa.pub 172.16.xx.xx

6. Configure kernel parameters so bridged traffic also passes through iptables/netfilter

modprobe br_netfilter  
echo -e 'net.bridge.bridge-nf-call-iptables = 1 \nnet.bridge.bridge-nf-call-ip6tables = 1' >> /etc/sysctl.conf  && sysctl -p

or

cat <<EOF > /etc/sysctl.d/k8s.conf
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
EOF
sysctl --system

7. Change the hostname

hostnamectl set-hostname node02.k8s.com
echo 'node02.k8s.com' >/etc/hostname
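The preparation steps above are easy to get half right (br_netfilter not loaded, a swap device still active, a hostname that only resolves on the master). The script below, an added example that is not part of the original post, verifies steps 3, 4 and 6 on the node before kubeadm join is attempted. Each check reads a file whose path can be overridden, so the functions can also be exercised against constructed sample files; the default paths are the real ones on a CentOS 7 node.

```shell
#!/bin/sh
# Added node-prep verification (not from the original post).

# Step 6: both bridge-nf-call sysctls must be 1, otherwise kube-proxy's
# iptables rules never see bridged pod traffic. Reads /proc/sys (or the
# files given as arguments, for testing).
check_bridge_nf() {
    v4_file="${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}"
    v6_file="${2:-/proc/sys/net/bridge/bridge-nf-call-ip6tables}"
    for f in "$v4_file" "$v6_file"; do
        [ -r "$f" ] || { echo "missing $f (is br_netfilter loaded?)"; return 1; }
        [ "$(cat "$f")" = "1" ] || { echo "$f is not 1"; return 1; }
    done
    echo "bridge-nf-call sysctls OK"
}

# Step 3: kubeadm's preflight fails while swap is active unless the error is
# ignored. /proc/swaps contains only its header line when no swap device is on.
check_swap_off() {
    swaps_file="${1:-/proc/swaps}"
    lines=$(wc -l < "$swaps_file" | tr -d ' ')
    [ "$lines" -le 1 ] || { echo "swap still active:"; tail -n +2 "$swaps_file"; return 1; }
    echo "swap OK"
}

# Step 4: every name passed in must resolve. getent is used so that
# /etc/hosts entries count as well as DNS.
check_resolvable() {
    rc=0
    for h in "$@"; do
        getent hosts "$h" >/dev/null 2>&1 || { echo "cannot resolve $h"; rc=1; }
    done
    return $rc
}

# Run everything with the live system paths; pass the other node names as
# arguments, e.g.: run_all master.k8s.com node01.k8s.com
run_all() {
    check_bridge_nf
    check_swap_off
    check_resolvable "$(hostname)" "$@"
}
```

Run `run_all` with the names of the other cluster nodes; a non-zero exit means one of the preparation steps still needs attention.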

Install docker, kubeadm, kubelet and kubernetes-cni on the node

1: Configure yum (all nodes)

cat <<EOF > /etc/yum.repos.d/kubernetes.repo
[kubernetes]
name=Kubernetes
baseurl=https://mirrors.aliyun.com/kubernetes/yum/repos/kubernetes-el7-x86_64/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://mirrors.aliyun.com/kubernetes/yum/doc/yum-key.gpg https://mirrors.aliyun.com/kubernetes/yum/doc/rpm-package-key.gpg
EOF

2: Install kubeadm, docker and kubelet

Note: the versions must match the master node; kubectl is installed automatically.

yum install -y yum-utils
yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo
yum -y install docker-ce docker-ce-selinux
# pin kubeadm/kubelet to the master's version (1.14.2) and docker-ce to 18.09.3
yum install -y kubeadm-1.14.2 kubelet-1.14.2 docker-ce-18.09.3
systemctl enable kubelet && systemctl start kubelet
systemctl enable docker && systemctl start docker

3: Download the images (mind the version):

The images come from the k8s.gcr.io registry, which may be blocked, so pull them manually in advance.

#!/bin/bash

# Images the node needs at join time, at the versions the cluster runs
# (kube-proxy must match the control-plane version, 1.14.2 here).
images=(
    kube-proxy:v1.14.2
    pause:3.1
)

# Pull each image from the Aliyun mirror, then retag it under the k8s.gcr.io
# name that kubeadm/kubelet will ask for, so no request ever goes to gcr.io.
for imageName in "${images[@]}" ; do
    docker pull registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName
    docker tag registry.cn-hangzhou.aliyuncs.com/google_containers/$imageName  k8s.gcr.io/$imageName
done

4: Join the cluster

kubeadm join 192.168.3.62:6443 --token f9vc9q.czje7ajf0qqfxtww --discovery-token-ca-cert-hash sha256:9b48669c620fce6a839f1d95938f542ff441156f45cdfd43f690819e9d9ba6df

Problems encountered

kubeadm join errors and fixes
1. Error:

kubeadm join ...
[WARNING IsDockerSystemdCheck]: detected "cgroupfs" as the Docker cgroup driver. The recommended driver is "systemd". Please follow the guide at https://kubernetes.io/docs/setup/cri/

Cause: the k8s default cgroup driver is cgroupfs, but installing the kubelet via yum automatically changes it to systemd, while Docker (see docker info) is using cgroupfs. There are two ways to fix this.

Method 1:
Change the k8s side to cgroupfs

#vim /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf

Environment="KUBELET_CGROUP_ARGS=--cgroup-driver=cgroupfs"

#systemctl  enable docker

#systemctl enable kubelet

#kubeadm join --token c04f89.b781cdb55d83c1ef 10.10.3.4:63 --discovery-token-ca-cert-hash sha256:986e83a9cb948368ad0552b95232e31d3b76e2476b595bd1d905d5242ace29af  --ignore-preflight-errors=Swap

Method 2:
Change Docker's cgroup driver to systemd

mkdir -p /etc/docker

# Setup daemon: switch Docker to the systemd cgroup driver
cat > /etc/docker/daemon.json <<EOF
{
  "exec-opts": ["native.cgroupdriver=systemd"]
}
EOF
systemctl daemon-reload && systemctl restart docker
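Whichever method is chosen, the point is that Docker and the kubelet must name the same driver. The functions below, an added example that is not part of the original post, pull the driver out of `docker info` output and out of the kubelet's configuration and report a mismatch before kubeadm join is run. The kubelet-side input is text from the 10-kubeadm.conf drop-in shown above, from /var/lib/kubelet/kubeadm-flags.env, or from the cgroupDriver key of the kubelet's config.yaml; the file paths in run_live are the standard kubeadm locations, and the sample strings in the comments are constructed.

```shell
#!/bin/sh
# Added cgroup-driver consistency check (not from the original post).

# Extract the driver from `docker info` output, which contains a line such
# as " Cgroup Driver: cgroupfs" (constructed sample).
docker_cgroup_driver() {
    sed -n 's/^ *Cgroup Driver: *//p' | head -n 1
}

# Extract the driver the kubelet is configured with, from either a
# --cgroup-driver=... flag (systemd drop-in or kubeadm-flags.env) or a
# "cgroupDriver: ..." line (kubelet config.yaml). Prints nothing if unset.
kubelet_cgroup_driver() {
    sed -n -e 's/.*--cgroup-driver=\([A-Za-z0-9]*\).*/\1/p' \
           -e 's/^cgroupDriver: *\([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

# Compare the two; returns 0 only when both are known and equal.
cgroup_drivers_match() {
    docker_driver=$1
    kubelet_driver=$2
    if [ -z "$docker_driver" ] || [ -z "$kubelet_driver" ]; then
        echo "could not determine both drivers (docker='$docker_driver', kubelet='$kubelet_driver')"
        return 1
    fi
    if [ "$docker_driver" != "$kubelet_driver" ]; then
        echo "MISMATCH: docker uses $docker_driver, kubelet expects $kubelet_driver (the IsDockerSystemdCheck warning above)"
        return 1
    fi
    echo "cgroup driver OK: both use $docker_driver"
}

# Live check on a node: reads docker info and the kubelet's flag files.
run_live() {
    d=$(docker info 2>/dev/null | docker_cgroup_driver)
    k=$(cat /var/lib/kubelet/kubeadm-flags.env \
            /usr/lib/systemd/system/kubelet.service.d/10-kubeadm.conf \
            /var/lib/kubelet/config.yaml 2>/dev/null | kubelet_cgroup_driver)
    cgroup_drivers_match "$d" "$k"
}
```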

2. Error

kubeadm join ...
error execution phase preflight: couldn't validate the identity of the API Server: abort connecting to API servers after timeout of 5m0s

Cause: the token on the master node has expired
Fix: create a new token, and make sure the command is typed correctly

kubeadm token create  # create a token
kubeadm token list    # list the created tokens
# look up the discovery-token-ca-cert-hash
openssl x509 -pubkey -in /etc/kubernetes/pki/ca.crt |openssl rsa -pubin -outform der 2>/dev/null | openssl dgst -sha256 -hex |sed 's/^.* //'
# join the node
kubeadm join 192.168.3.62:6443 --token f9vc9q.czjexxx --discovery-token-ca-cert-hash sha256:9b48669c620fcxxxx
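The --discovery-token-ca-cert-hash is what lets the new node check that it is talking to the real API server and not something else answering on that address; without it kubeadm only joins when --discovery-token-unsafe-skip-ca-verification is given. The script below, an added example that is not part of the original post, wraps the openssl one-liner above as a function, validates the token and hash formats so that a mistyped value (the cause of error 2) is caught immediately instead of after the 5-minute timeout, and assembles the join command. It uses `openssl pkey` rather than `openssl rsa` so it also works for an ECDSA CA; the default certificate path is the standard kubeadm one.

```shell
#!/bin/sh
# Added helper for kubeadm join values (not from the original post).

# Same computation as the openssl one-liner above, taking the CA certificate
# path as an argument. Prints "sha256:<64 hex digits>" or fails.
ca_cert_hash() {
    ca=${1:-/etc/kubernetes/pki/ca.crt}
    hex=$(openssl x509 -pubkey -in "$ca" \
        | openssl pkey -pubin -outform der 2>/dev/null \
        | openssl dgst -sha256 -hex | sed 's/^.* //')
    [ "${#hex}" -eq 64 ] || return 1
    echo "sha256:$hex"
}

# Bootstrap tokens have the fixed shape <6 chars>.<16 chars>, lowercase a-z0-9.
valid_token() {
    echo "$1" | grep -Eq '^[a-z0-9]{6}\.[a-z0-9]{16}$'
}

# The hash must be "sha256:" followed by exactly 64 hex digits; a truncated
# copy-paste such as "sha256:9b48669c620fcxxxx" fails this check.
valid_ca_hash() {
    echo "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# Assemble the join command line. Returns 1 and prints nothing if any value is
# malformed, so a wrapper script never runs a half-formed join.
build_join_cmd() {
    endpoint=$1 token=$2 hash=$3
    echo "$endpoint" | grep -Eq '^[^:/ ]+:[0-9]+$' || return 1
    valid_token "$token" || return 1
    valid_ca_hash "$hash" || return 1
    echo "kubeadm join $endpoint --token $token --discovery-token-ca-cert-hash $hash"
}

# Typical use on the master: mint a fresh token (the fix for error 2) and
# print the command to run on the new node, e.g.:
#   print_join_for_new_node 192.168.3.62:6443
print_join_for_new_node() {
    endpoint=$1
    token=$(kubeadm token create)
    build_join_cmd "$endpoint" "$token" "$(ca_cert_hash)"
}
```

Tokens created with `kubeadm token create` expire after 24 hours by default, so regenerate rather than reuse an old one when adding a node later.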

3. Error

[kubelet] Downloading configuration for the kubelet from the "kubelet-config-1.11" ConfigMap in the kube-system namespace configmaps "kubelet-config-1.11" is forbidden: User "system:bootstrap:7df77e" cannot get configmaps in the namespace "kube-system"

Cause: the kubeadm and kubelet versions do not match the cluster
Uninstall cri-tools, kubelet and kubeadm, then reinstall kubeadm and kubelet at the correct version. The version should follow the master's version and must not be higher than the master's. (If the kubelet version is higher than kubeadm's, the node joins successfully but then stays in NotReady state forever.)

4. Error

Failed create pod sandbox: rpc error: code = Unknown desc = failed pulling image "k8s.gcr.io/pause:3.1": Error response from daemon: Get https://k8s.gcr.io/v2/: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

Cause: a newly added node needs to pull the pause:3.1 image, and the default registry gcr.io is blocked by the GFW.
Fix it with the image download method described above.
